Understanding ISO 26262
To maintain compliance, your team must put the right processes and tools in place to assess and mitigate risks.
What is the ISO 26262 Functional Safety Standard?
ISO 26262 – Road Vehicles – Functional Safety, published in 2011, provides a unifying safety standard for automotive E/E systems that power an increasing number of vehicle functions, from driver assistance and telematics to engine management and entertainment.
The standard defines functional safety as the “absence of unreasonable risk due to hazards caused by malfunctioning behavior to electrical/electronic systems.” It regulates system hardware and software through every step of the product lifecycle, including development, production, operation, service and decommissioning.
In general, the ISO 26262 standard:
The 2018 edition added specific sections for semiconductor production and motorcycles, as well as information about the following:
- Objective-oriented confirmation measures
- Management of safety anomalies
- References to cybersecurity
- Updated target values for hardware architecture metrics
- Evaluation of hardware elements
- Additional guidance on dependent failure analysis
- Guidance on fault tolerance, special safety-related characteristics and software tools
- Guidance for model-based development and software safety analysis
Why is ISO 26262 Important?
Modern vehicles are increasingly controlled by electronic systems. What started as a mechanical machine has evolved into a vehicle run by sophisticated Electronic Control Units (ECUs) and software. If these systems malfunction or fail, they can potentially pose serious consequences, from financial loss, legal liability and regulatory action for OEMs and suppliers, to injury and loss of life for end users.
ISO 26262 addresses these changing dynamics. It responds to the need for an international, automotive-specific standard that focuses on safety-critical E/E components. It sets clear standards that enable manufacturers to proactively manage functional safety through the entire lifecycle of the automotive system, from the earliest stages of product development to the point when a vehicle is retired.
This holistic approach means software and hardware teams can better integrate their efforts and create a system of traceability between phases. By identifying and mitigating E/E failures up front, and carrying these functional safety measures between phases, ISO 26262 can have a positive impact on all stakeholders.
How does ISO 26262 Work?
The 12 Parts of ISO 26262
The original 2011 edition of ISO 26262 featured 10 parts, but ISO updated the standard in 2018 to address emerging technologies and cover a broader scope that now includes trucks, buses, trailers, semi-trailers and motorcycles.
As a result, the 2018 standard now features 12 sections. Each part offers guidance that enables your team to evaluate risk and establish corrective measures to proactively manage functional safety. While the 2018 standard exempts components released for production prior to publication, as well as systems under development during publication, the 12 parts do address altering existing systems and integrating non-compliant systems by tailoring the safety lifecycle to meet the requirements.
Part 1 – Vocabulary
Part 2 – Management of Functional Safety
Part 3 – Concept Phase
Part 4 – Product Development at the System Level
Part 5 – Product Development at the Hardware Level
Part 6 – Product Development at the Software Level
Part 7 – Production, Operation, Service and Decommissioning
Part 8 – Supporting Processes
Part 9 – Automotive Safety Integrity Level (ASIL)-Oriented and Safety-Oriented Analysis
Part 10 – Guidelines on ISO 26262
Part 11 – Guidelines on Application of ISO 26262 to Semiconductors
Part 12 – Adaptation of ISO 26262 for Motorcycles
What is ASIL?
Central to ISO 26262 compliance, the Automotive Safety Integrity Level (ASIL) rating system sets the standard for assigning levels of risk to potential E/E system malfunctions or failures. Ultimately, the system ensures you end up with no safety-related single points of failure in the E/E system of a vehicle. Vehicles must meet or exceed ASIL thresholds prior to production to be considered road safe. To conduct the ASIL rating process, you begin with a Hazard Analysis and Risk Assessment (HARA). The assessment addresses a basic question: “If a failure arises, what will happen to the driver and associated road users?” The HARA identifies and classifies hazardous events caused by malfunctioning behaviors within an E/E system.
Using three main criteria, you assess each hazard based on the relative effect it will have on the overall E/E system:
- Exposure – the probability of being in an operating situation in which the hazard can occur. Ratings include none, very low, low, medium and high.
- Severity – potential injuries to the driver and/or passengers. Ratings include no injuries, light and moderate injuries, severe and life-threatening injuries (survival probable), and life-threatening (survival uncertain) and fatal injuries.
- Controllability – the probability a typical driver can prevent injury from occurring. Ratings include controllable, simply controllable, normally controllable, and difficult to control or uncontrollable.
After you assess all potential hazards, you create safety goals to prevent or reduce each hazard. Each safety goal receives an ASIL rating, as defined by the ISO 26262 standard.
ASIL ratings include QM (quality managed), A, B, C and D. QM represents the lowest risk of hazard while D indicates the highest hazard level. As a result, an ASIL-D rating requires the most attention in terms of safety-critical processes and testing requirements. For help with the ratings process, you can refer to guidelines outlined in the SAE J2980 – Considerations for ISO 26262 ASIL Hazard Classification.
Not surprisingly, the cost and complexity of compliance can increase significantly with each ASIL level. While an ASIL A rating may have limited effects on your development process, an ASIL D rating can have a much more significant impact on timing and costs.
ASIL decomposition, a process where ASIL levels and requirements are broken down over redundant and sufficiently independent elements within the design, can help. The process typically follows a predefined pattern and must result in redundant safety requirements allocated to design elements of sufficient technical independence. Ultimately, it can help you meet safety requirements while reducing costs and minimizing efforts.
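The HARA classification and decomposition steps described above can be made concrete in code. The following Python is an added example written for this page; it is not New Eagle's tooling or part of ISO 26262 itself. It encodes the severity/exposure/controllability-to-ASIL lookup from ISO 26262-3 (Table 4, with the page's rating words mapped to the standard's S0–S3, E0–E4 and C0–C3 levels) and the ASIL decomposition schemes permitted by ISO 26262-9 (Clause 5). The `HazardousEvent` record, the `SAMPLE_HARA` rows and their ratings are constructed for illustration and are not taken from any real assessment.

```python
"""Added example: HARA ratings -> ASIL, plus permitted ASIL decomposition schemes.
Not part of the original page or of any vendor's product; sample hazards are constructed."""
from dataclasses import dataclass

# ISO 26262-3 Table 4, indexed as _ASIL_TABLE[S][E] with one entry per C1..C3.
# Any rating of S0, E0 or C0 yields QM and is handled before the lookup.
_ASIL_TABLE = {
    1: {1: "QM QM QM", 2: "QM QM QM", 3: "QM QM A", 4: "QM A B"},
    2: {1: "QM QM QM", 2: "QM QM A", 3: "QM A B", 4: "A B C"},
    3: {1: "QM QM A", 2: "QM A B", 3: "A B C", 4: "B C D"},
}

# ISO 26262-9 Clause 5: an ASIL may be split over two sufficiently independent
# elements; the original ASIL is kept in parentheses, e.g. ASIL B(D) + ASIL B(D).
_DECOMPOSITIONS = {
    "D": [("C", "A"), ("B", "B"), ("D", "QM")],
    "C": [("B", "A"), ("C", "QM")],
    "B": [("A", "A"), ("B", "QM")],
    "A": [("A", "QM")],
    "QM": [],
}


def determine_asil(severity: int, exposure: int, controllability: int) -> str:
    """Map HARA ratings S0..S3, E0..E4, C0..C3 to QM, A, B, C or D."""
    if not (0 <= severity <= 3 and 0 <= exposure <= 4 and 0 <= controllability <= 3):
        raise ValueError("ratings must be S0..S3, E0..E4, C0..C3")
    if 0 in (severity, exposure, controllability):
        return "QM"  # no injury, incredible exposure, or controllable in general
    return _ASIL_TABLE[severity][exposure].split()[controllability - 1]


def decomposition_options(asil: str) -> list[str]:
    """Permitted decomposition pairs for an ASIL, written in the standard's notation."""
    return [f"ASIL {a}({asil}) + ASIL {b}({asil})" for a, b in _DECOMPOSITIONS[asil]]


@dataclass(frozen=True)
class HazardousEvent:
    """One HARA row (hypothetical record shape, not a form prescribed by the standard)."""
    hazard: str
    situation: str
    severity: int       # S0..S3
    exposure: int       # E0..E4
    controllability: int  # C0..C3

    @property
    def asil(self) -> str:
        return determine_asil(self.severity, self.exposure, self.controllability)


# Constructed sample HARA rows; the ratings are illustrative only.
SAMPLE_HARA = [
    HazardousEvent("Unintended acceleration", "Urban traffic, pedestrians nearby", 3, 4, 3),
    HazardousEvent("Loss of headlights", "Night driving, rural road", 2, 3, 2),
    HazardousEvent("Infotainment freeze", "Any driving", 0, 4, 1),
]


def hara_summary(events=SAMPLE_HARA) -> dict[str, str]:
    """Hazard name -> ASIL for every row of a HARA table."""
    return {e.hazard: e.asil for e in events}


if __name__ == "__main__":
    for e in SAMPLE_HARA:
        print(f"{e.hazard}: S{e.severity} E{e.exposure} C{e.controllability} -> ASIL {e.asil}")
        for option in decomposition_options(e.asil):
            print("   decomposition option:", option)
```

Running the script prints the ASIL for each constructed hazard and, for the ASIL D event, the three decomposition schemes the standard allows; the lookup table is the authoritative path, so a disagreement between the table and a rating arithmetic shortcut would surface here rather than in a safety case.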
How to Stay ISO 26262 Compliant
To achieve and maintain ISO 26262 compliance, your team needs to pull together the right mix of talent and tools to incorporate the standard into your product development and efficiently move your systems to market.
Automotive functional safety engineers (AFSEs), who complete rigorous training in hardware and software safety practices and in conducting HARAs, make effective project leads.
These certified professionals can help your engineering teams repeatedly evaluate work to look for errors, redundancies and single points of failure that could cause malfunctions in the end-product vehicle.
Development and testing tools can also enhance your capabilities. They can help with requirements traceability, efficiency of code authorship, fault-tree analysis and requirements-based testing.
Partner with the Experts
To keep your project on track, consider partnering with New Eagle. Our engineering consulting services, as well as our full range of ISO-capable software and hardware options prepare you for ISO 26262 compliance – and help you stay there. Our AFS-certified engineering consultants can design a production control system to get your vehicle on the road safely and quickly. They can assess systems and develop functional safety concepts to help you meet ASIL ratings and ISO 26262 requirements.
Our Raptor-Dev embedded model-based development software increases the efficiency of your software development and can be used with MathWorks™ toolboxes to provide traceability to safety requirements. Our Raptor-Test tool performs automated regression tests of both software and hardware to make sure your system meets requirements at the final stages of development.